B4RC0D3 (Active Member) posted May 26, 2020 (edited)

Hello together, today I want to share a small, but in my opinion useful, security upgrade for your player password hashes. The current default hash, which most of you use (some exceptions might be out there), is the MD5 hash. This hash might not be the best choice for hashing passwords these days. This is why I thought about changing something there, and my solution for this is Argon2. This method won the Password Hashing Competition, and this is why I chose it over bcrypt or scrypt.

This tutorial isn't a 100% beginner-friendly guide! Just follow my instructions if you have a bit of C++ knowledge and know how to work with the source.

Create the libargon2

1. Download the libargon2 Git repository as a ZIP file and extract it.
2. Create a folder beside your libgame folder and name it libargon2.
3. Now copy include, src, Makefile and libargon2.pc.in into the newly created folder libargon2. Now your folder should look like this: (screenshot)
4. Now upload this libargon2 to your compile server and go into the folder.
5. Enter the command "gmake all" and wait for it to finish.
6. Move to your game source and open the Makefile.
7. Search for the MAINCPP = main.cpp part in the Makefile and add the code below above this line. NOTE: You might need to edit the path to your libargon2!

```make
# Argon2
INCDIR += -I../../libargon2/include
LIBDIR += -L../../libargon2
LIBS += ../../libargon2/libargon2.a
```

Now it should look like this: (screenshot)

You're done with libargon2!

Change the hash in the game core source (DEFAULT PASSWORD() MYSQL FUNC TUTORIAL)

1. Open db.cpp and add at the top:

```cpp
#include "../../libargon2/include/argon2.h"
```

2. Search for:

```cpp
char szEncrytPassword[
char szPassword[
```

and replace them with:

```cpp
char szEncrytPassword[EArgon2::HASH_LENGTH * 2 + 1] = {0, };
char szPassword[EArgon2::HASH_LENGTH * 2 + 1] = {0, };
```

3. Search for:

```
"SELECT PASSWORD('%s'),password,securitycode,social_id,id,status,availDt - NOW() > 0,"
```

4. Remove the PASSWORD( ... ) part and make it look like:

```
"SELECT '%s',password,securitycode,social_id,id,status,availDt - NOW() > 0,"
```

5. Now search a bit below for szLogin and add before it:

```cpp
Argon2PasswordHash(pinfo->passwd).c_str(),
```

This should look like this: (screenshot)

6. Search for AccountDB::AccountDB() : and add above it this piece of code:

```cpp
std::string DBManager::Argon2PasswordHash(const char* c_pszPassword)
{
	// NOTE: the salt is a fixed constant in this setup, so the same password always
	// yields the same hash; the login query relies on that equality.
	static const uint8_t salt[] = "MYSALTISCOOL";
	const uint32_t saltlen = sizeof(salt) - 1; // exclude the terminating NUL

	const uint8_t* pwd = reinterpret_cast<const uint8_t*>(c_pszPassword);
	const uint32_t pwdlen = static_cast<uint32_t>(strlen(c_pszPassword));

	uint8_t hash[EArgon2::HASH_LENGTH];
	int rc = argon2id_hash_raw(EArgon2::TIME_COST, EArgon2::MEMORY_COST, EArgon2::PARALLELISM,
	                           pwd, pwdlen, salt, saltlen, hash, EArgon2::HASH_LENGTH);
	if (rc != ARGON2_OK)
	{
		// e.g. memory allocation failure; never return an uninitialised buffer as a hash
		fprintf(stderr, "argon2id_hash_raw failed: %s\n", argon2_error_message(rc));
		return "";
	}

	// hex-encode the raw hash: 64 bytes -> 128 characters + NUL
	char s_buffer[EArgon2::HASH_LENGTH * 2 + 1];
	memset(s_buffer, 0x00, sizeof(s_buffer));
	for (uint32_t i = 0; i < EArgon2::HASH_LENGTH; ++i)
		sprintf(s_buffer + (i * 2), "%02x", hash[i]);

	return std::string(s_buffer);
}
```

7. Now open the DB.h file and add above typedef struct SUseTime this piece of code:

```cpp
enum EArgon2
{
	HASH_LENGTH = 64,      // raw hash bytes; stored as 128 hex characters
	TIME_COST   = 2,       // iterations
	MEMORY_COST = 1 << 16, // in KiB, i.e. 64 MiB
	PARALLELISM = 1
};
```

8. Now search for std::vector<TUseTime> m_vec_kUseTime; and add below:

```cpp
public:
	std::string Argon2PasswordHash(const char* c_pszPassword);
```

9. Open input_auth.cpp and search again for:

```
"SELECT PASSWORD('%s'),password,securitycode,social_id,id,status,availDt - NOW() > 0,"
```

10. Change it to:

```
"SELECT '%s',password,securitycode,social_id,id,status,availDt - NOW() > 0,"
```

11. Look a bit below and change:

```cpp
szPasswd, szLogin);
```

to:

```cpp
DBManager::Instance().Argon2PasswordHash(szPasswd).c_str(), szLogin);
```

For now you just need to edit the account.account table and set the size of the password column to 128 (why 128? In DB.h, EArgon2::HASH_LENGTH = 64, and 64 * 2 = 128). And you need to replace your hashes with Argon2 ones. For this, follow the link to the generator: https://argon2.online

Example config for the tutorial setup: (screenshot)

Have fun

Edited August 25, 2022 by Metin2 Dev
hachiwari (Active Member) posted May 26, 2020

Nice! By the way, did you check or test the performance between the old and the new encryption?
Karbust (Management) posted May 26, 2020

And is it compatible with PHP? On MySQL 8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes are available in MySQL and in cryptopp, which is already necessary)?
B4RC0D3 (Author, Active Member) posted May 26, 2020 (edited)

1 hour ago, hachiwari said: Nice! By the way, did you check or test the performance between the old and the new encryption?

No, I didn't test the performance difference.

1 hour ago, Karbust said: And is it compatible with PHP? On MySQL 8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes are available in MySQL and in cryptopp, which is already necessary)?

Because, simplified, you can change so many parts of its input that the output will be different. Even if you use the same password and salt, the hash will be different in many ways. Test it with the online generator: if you just change the memory or the iterations, you will get different outputs. So as an attacker I need all of this information, and it is not enough to just know the hash algorithm, search for some rainbow tables and maybe find some data. Even generated keys, which are stored on the server, can be loaded by the algorithm to enhance the security of your system. So it's hard to get rainbow tables or otherwise forced data out of an Argon2 hash. SHA is good, that's not the point here. But Argon2 can be better with an easier way of use. (Of course this is my personal way of thinking, so everyone is free to use it or not.)

Edit: Yes, since PHP 7.2 Argon2 is usable as an algorithm.

Edited May 26, 2020 by B4RC0D3
Alerin posted May 27, 2020 (edited)

3 hours ago, Karbust said: And is it compatible with PHP? On MySQL 8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes are available in MySQL and in cryptopp, which is already necessary)?

password_hash: https://www.php.net/manual/en/function.password-hash.php

Example:

```php
password_hash('test', PASSWORD_ARGON2I)
```

To log in you need to do a select on MySQL with the email name. Fetch the password and compare it with the function. Example:

```sql
SELECT `password` FROM `account` WHERE `login` = 'test'
```

https://www.php.net/manual/en/function.password-verify.php

```php
if (password_verify($_POST['password'], $row['password'])) {
    return true;
} else {
    return false;
}
```

@TOPIC Nice idea, I was thinking recently about whether to publish a similar solution.

3 hours ago, hachiwari said: Nice! By the way, did you check or test the performance between the old and the new encryption?

The performance is poorer; the longer the hash takes to compute, the harder it is to break. Imagine a computer that does 1 million MD5 per second and 1k Argon2 per second. Even if the calculation takes longer, it does not affect the performance of the game. The user will not feel the difference when logging in takes 0.1 sec instead of 0.01 sec.

Edited May 27, 2020 by Alerin
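The PHP side that Karbust asks about and Alerin sketches above, as an added example that is not part of the original posts and not the project's own code: it uses the same argon2id cost parameters the tutorial's EArgon2 enum sets, lets password_hash draw a random salt per user, and upgrades a legacy MySQL PASSWORD() hash to argon2id at the user's next successful login, since an existing hash cannot be converted without the password. One caveat for mixing it with the tutorial's C++ code: that code stores a raw hash as hex with a fixed salt, and PHP's password_verify cannot check that format. It reads the encoded form `$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`, which libargon2 itself produces and checks with argon2id_hash_encoded and argon2id_verify, so a server that wants both sides to agree should store that form. Function names and the walk-through values are placeholders; database access is left to the caller.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 built with
// argon2 support (PASSWORD_ARGON2ID). Database access is left out; the caller
// loads the stored column and writes back the returned replacement hash.

// Same cost parameters as the tutorial's EArgon2 enum on the C++ side.
const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // KiB (64 MiB), EArgon2::MEMORY_COST
    'time_cost'   => 2,       // iterations,   EArgon2::TIME_COST
    'threads'     => 1,       //               EArgon2::PARALLELISM
];

function hash_password(string $password): string
{
    // password_hash draws a fresh random 16-byte salt for every call and returns
    // the self-describing string "$argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>".
    return password_hash($password, PASSWORD_ARGON2ID, ARGON2_OPTIONS);
}

function legacy_mysql_password(string $password): string
{
    // MySQL PASSWORD() (4.1 format): '*' followed by UPPER(HEX(SHA1(SHA1(password)))).
    return '*' . strtoupper(sha1(sha1($password, true)));
}

function is_legacy_mysql_password(string $stored): bool
{
    return preg_match('/^\*[0-9A-F]{40}$/', $stored) === 1;
}

/**
 * Checks $password against the stored column value.
 * Returns [bool $ok, ?string $newHash]; when $newHash is not null the caller
 * should overwrite the column with it (legacy hash upgraded, or the cost
 * parameters were raised after the hash was made).
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_mysql_password($stored)) {
        // Old accounts: verify with the PASSWORD() formula, then rehash with argon2id.
        if (!hash_equals($stored, legacy_mysql_password($password))) {
            return [false, null];
        }
        return [true, hash_password($password)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }

    // Transparent upgrade when ARGON2_OPTIONS are raised later.
    $needsRehash = password_needs_rehash($stored, PASSWORD_ARGON2ID, ARGON2_OPTIONS);
    return [true, $needsRehash ? hash_password($password) : null];
}

// Walk-through with constructed values (no database involved).
$stored = legacy_mysql_password('hunter2');           // what an old row holds
[$ok, $new] = verify_and_upgrade('hunter2', $stored); // $ok true, $new is a fresh "$argon2id$..." string
[$ok2, $new2] = verify_and_upgrade('hunter2', $new);  // $ok2 true, $new2 null (already current)
[$ok3, $new3] = verify_and_upgrade('wrong', $new);    // $ok3 false
printf("%s %s %s\n", var_export($ok, true), var_export($ok2, true), var_export($ok3, true));
```

With these parameters the encoded string is 97 characters long (16-byte salt and 32-byte hash, base64 without padding), so it fits the 128-character column the tutorial sizes for hex raw hashes; the PHP manual nevertheless recommends 255 so that future parameter changes do not truncate the value. The MySQL PASSWORD() check is only there to migrate rows the game server wrote with the old query; once a row has been rewritten, `is_legacy_mysql_password` no longer matches and only `password_verify` runs.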
R3flex posted June 30, 2020

Up. I followed the tutorial and everything worked as intended. Thanks for sharing!